Docker Error 500 - Unable to pull image on same instance
-
I am encountering this error for my selfhosted private Docker registry, how to come closer to the probable authentication error?
Docker Error - Unable to pull image mydomain.com/myusername/myapp:1.0.0 Please check the network or if the image needs authentication. statusCode 500In the logs are 10 not successful pull attempts visible.
The Docker registry is hosted on the same Cloudron server, it is Docker Registry App from official App Store.
In the settings if my Cloudron instance, I configured a Private Docker Registry with the same Credentials I used to successfully push the Docker build from local. I changed from Docker to Other just to be sure, with the same credentials.
After building the build, I can successfullypush it with the very same credentials to the private Docker Hub -
N nottheend referenced this topic on
-
N nebulon marked this topic as a question on
-
Thank you!
Basically, pushing a image works to the registry withdocker pushalso on the server (see below.But I seem to have change something and while deploying the app with the
cloudronnpm command, I get an error of an invalid manifest file. Will have to dig into it (I have all required parameters). Probably my project structure is wrong:App installation error: Installation failed: Unable to pull image dockerhub.domain.com/myuser/myapp. message: (HTTP code 404) unexpected - manifest for dockerhub.domain.com/myuser/myapp:latest not found: manifest unknown: manifest unknown statusCode: 404
Logs on server for docker push:
2024-08-11T13:35:40.000Z time="2024-08-11T13:35:40.047968853Z" level=info msg="response completed" go.version=go1.20.8 http.request.host="localhost:5000" http.request.id=ea838230-bda2-414b-aa83-599c00a48956 http.request.method=GET http.request.remoteaddr="[::1]:59814" http.request.uri="/v2" http.request.useragent="Mozilla (CloudronHealth)" http.response.contenttype="text/html; charset=utf-8" http.response.duration="104.432µs" http.response.status=301 http.response.written=39
2.Below is the response for curl -v ```
https://dockerhub.domain.com/v2/_catalog[user]$ curl -v https://dockerhub.domain.com/v2/_catalog
- Host dockerhub.domain.com:443 was resolved.
- IPv6: (none)
- IPv4: xxx.xxx.xxx.xxx
- Trying xxx.xxx.xxx.xxx:443...
- Connected to dockerhub.domain.com (xxx.xxx.xxx.xxx) port 443
- ALPN: curl offers h2,http/1.1
- TLSv1.3 (OUT), TLS handshake, Client hello (1):
- CAfile: /etc/pki/tls/certs/ca-bundle.crt
- CApath: none
- TLSv1.3 (IN), TLS handshake, Server hello (2):
- TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
- TLSv1.3 (IN), TLS handshake, Certificate (11):
- TLSv1.3 (IN), TLS handshake, CERT verify (15):
- TLSv1.3 (IN), TLS handshake, Finished (20):
- TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
- TLSv1.3 (OUT), TLS handshake, Finished (20):
- SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / id-ecPublicKey
- ALPN: server accepted h2
- Server certificate:
- subject: CN=*.domain.com
- start date: 2024 GMT
- expire date: 2024 GMT
- subjectAltName: host "dockerhub.domain.com" matched cert's "*.domain.com"
- issuer: C=US; O=Let's Encrypt; CN=E5
- SSL certificate verify ok.
- Certificate level 0: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384
- Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using sha256WithRSAEncryption
- Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
- using HTTP/2
- [HTTP/2] [1] OPENED stream for https://dockerhub.domain.com/v2/_catalog
- [HTTP/2] [1] [:method: GET]
- [HTTP/2] [1] [:scheme: https]
- [HTTP/2] [1] [:authority: dockerhub.domain.com]
- [HTTP/2] [1] [:path: /v2/_catalog]
- [HTTP/2] [1] [user-agent: curl/8.6.0]
- [HTTP/2] [1] [accept: /]
GET /v2/_catalog HTTP/2
Host: dockerhub.domain.com
User-Agent: curl/8.6.0
Accept: /- TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
- TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
- old SSL session ID is stale, removing
< HTTP/2 302
< server: nginx
< date: Sun, 11 Aug 2024 13:19:02 GMT
< content-type: text/html
< content-length: 138
< location: https://dockerhub.domain.com/login?redirect=/v2/_catalog
< strict-transport-security: max-age=63072000
< x-xss-protection: 1; mode=block
< x-download-options: noopen
< x-content-type-options: nosniff
< x-permitted-cross-domain-policies: none
< referrer-policy: same-origin
< cache-control: no-cache
< set-cookie: authToken=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT
<
<html>
<head><title>302 Found</title></head>
<body>
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html> - Connection #0 to host dockerhub.domain.com left intact
-
@nottheend said in Docker Error 500 - Unable to pull image on same instance:
App installation error: Installation failed: Unable to pull image dockerhub.domain.com/myuser/myapp. message: (HTTP code 404) unexpected - manifest for dockerhub.domain.com/myuser/myapp:latest not found: manifest unknown: manifest unknown statusCode: 404
I am a bit lost by now. Could it just be that the
latesttag and or repository simply does not exist atdockerhub.domain.com/myuser/myapp?Can you otherwise
docker pullfrom for example your laptop with the same image URI ? -
N nebulon has marked this topic as solved on
-
Hmmm
I am now getting this error alsoApp is being installed.
=> Queued .
=> Registering subdomains
=> Downloading image ........................................
App installation error: Installation failed: Unable to pull image docker.domain.uk/cloudron-ocular:v1. registry error: {"reason":"server error","statusCode":500,"json":null}But I can see the image in my docker registry so docker build and docker push is working.
The docker registry is on the Cloudron instance, but this has never been a problem before.Have ensured
docker loginandcloudron install etcworkRunning Cloudron v8.2.3 on Ubuntu 22.04
App install logs show :
box:docker pullImage: will pull docker.domain.uk/cloudron-ocular:v1. auth: no
Is that
auth: nosignificant ?Final log entry :
box:apptask run: app error for state pending_install: BoxError: Unable to pull image docker.domain.uk/cloudron-ocular:v1. registry error: {"reason":"server error","statusCode":500,"json":null} at pullImage (/home/yellowtent/box/src/docker.js:150:50) at process.processTicksAndRejections (node:internal/process/task_queues:95:5) at async /home/yellowtent/box/src/docker.js:195:122 at async promiseRetry (/home/yellowtent/box/src/promise-retry.js:17:20) at async Object.downloadImage (/home/yellowtent/box/src/docker.js:194:5) at async downloadImage (/home/yellowtent/box/src/apptask.js:243:5) at async install (/home/yellowtent/box/src/apptask.js:337:5) { reason: 'Docker Error', details: {} }
box:tasks setCompleted - 22828: {"result":null,"error":{"stack":"BoxError: Unable to pull image docker.domain.uk/cloudron-ocular:v1. registry error: {"reason":"server error","statusCode":500,"json":null}\n at pullImage (/home/yellowtent/box/src/docker.js:150:50)\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n at async /home/yellowtent/box/src/docker.js:195:122\n at async promiseRetry (/home/yellowtent/box/src/promise-retry.js:17:20)\n at async Object.downloadImage (/home/yellowtent/box/src/docker.js:194:5)\n at async downloadImage (/home/yellowtent/box/src/apptask.js:243:5)\n at async install (/home/yellowtent/box/src/apptask.js:337:5)","name":"BoxError","reason":"Docker Error","details":{},"message":"Unable to pull image docker.domain.uk/cloudron-ocular:v1. registry error: {"reason":"server error","statusCode":500,"json":null}"}}
box:tasks update 22828: {"percent":100,"result":null,"error":{"stack":"BoxError: Unable to pull image docker.domain.uk/cloudron-ocular:v1. registry error: {"reason":"server error","statusCode":500,"json":null}\n at pullImage (/home/yellowtent/box/src/docker.js:150:50)\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n at async /home/yellowtent/box/src/docker.js:195:122\n at async promiseRetry (/home/yellowtent/box/src/promise-retry.js:17:20)\n at async Object.downloadImage (/home/yellowtent/box/src/docker.js:194:5)\n at async downloadImage (/home/yellowtent/box/src/apptask.js:243:5)\n at async install (/home/yellowtent/box/src/apptask.js:337:5)","name":"BoxError","reason":"Docker Error","details":{},"message":"Unable to pull image docker.domain.uk/cloudron-ocular:v1. registry error: {"reason":"server error","statusCode":500,"json":null}"}}
-
In the docker registry app, logs show endless lines like this, but I don’t see errors as such :
Jan 23 11:41:20 127.0.0.1 - - [23/Jan/2025:11:41:20 +0000] "GET /v2 HTTP/1.0" 301 39 "" "Mozilla (CloudronHealth)"
Jan 23 11:41:20 time="2025-01-23T11:41:20.113222934Z" level=info msg="response completed" go.version=go1.20.8 http.request.host="localhost:5000" http.request.id=216d4214-238a-409b-930b-0a1ba5bf2f02 http.request.method=GET http.request.remoteaddr="127.0.0.1:56446" http.request.uri="/v2" http.request.useragent="Mozilla (CloudronHealth)" http.response.contenttype="text/html; charset=utf-8" http.response.duration="258.188µs" http.response.status=301 http.response.written=39
Jan 23 11:41:30 ::1 - - [23/Jan/2025:11:41:30 +0000] "GET /v2 HTTP/1.0" 301 39 "" "Mozilla (CloudronHealth)"
Jan 23 11:41:30 time="2025-01-23T11:41:30.129205782Z" level=info msg="response completed" go.version=go1.20.8 http.request.host="localhost:5000" http.request.id=ea05e778-e39b-47cd-8e12-5bb881512b3b http.request.method=GET http.request.remoteaddr="[::1]:54150" http.request.uri="/v2" http.request.useragent="Mozilla (CloudronHealth)" http.response.contenttype="text/html; charset=utf-8" http.response.duration="82.643µs" http.response.status=301 http.response.written=39
Jan 23 11:41:30 172.18.0.1 - - [23/Jan/2025:11:41:30 +0000] "GET /v2 HTTP/1.1" 301 39 "-" "Mozilla (CloudronHealth)”
Restarted the docker registry app on Cloudron, but same behaviour.
Image is visible in the registry app UI.On local device I can do
docker pull docker.domain.uk/image:tagso I guess the docker registry is ok, UI and images in app visible. And of course thedocker pushcommand worked. -
@timconsidine said in Docker Error 500 - Unable to pull image on same instance:
Is that auth: no significant ?
if the registry requires authentication then yes, this appears significant. Can you check the settings in Private Registry? Are you also able to
docker pullon the cloudron itself? -
@girish yes I can
docker pushanddocker pullon my desktop so auth here is not a problem.
Also I have logged out and logged back in.
Cloudron CLI is able to create the app and sub-domain, so my cloudron auth is ok.
And I can docloudron uninstall —app blah -
@timconsidine the cloudron cli auth is different from the registry auth . I guess you had done docker login at some point in your desktop and this is why push/pull works.
The code is supposed to get the authentication info from the Settings -> Private Docker Registry in this function - https://git.cloudron.io/platform/box/-/blob/master/src/docker.js?ref_type=heads#L112 . Have you configured Private Docker Registry? If so, maybe you can put a couple of console.log in that function to see what is going wrong. Maybe something wrong in the parsing logic
-
Right, back now, and I’ve re-read things, but am still not understanding.
Maybe time to explain like I’m a 5 year old
Docker registry is installed in Cloudron instance from the App store.
No special or changed settings for the registry.
Nothing in the app UI anyway to do so, and I haven’t (consciously) changed/app/data/config.ymland certainly not recently.
Been using this registry for custom app builds and never had a problem, no need to configure it.the cloudron cli auth is different from the registry auth
Yes. I was attempting (badly) to say everything works, well clearly not everything.
I can use cloudron CLI on desktop to install and uninstall
I can use docker CLI on desktop to login / logout of the cloudron-installed registry
I can open the registry app in browser, and can see that it has the custom app image (pushed from desktop).
But cloudron still reports 500, cannot find imageI have 2FA on my cloudron login - I can login to the registry app in a browser without re-entering it, but maybe the cloudron install doesn’t have access to an authenticated login. Is it expecting 2FA ?
authentication info from the Settings -> Private Docker Registry
This has been set, and has never been an issue before.
But has something changed to require 2FA, or a user with no 2FA, or a token not password ? -
@timconsidine your setup seems correct. The 2FA aspect is indeed interesting! Maybe you put password into Private Docker Registry before you enabled 2FA? After you enabled 2FA, just the password is not enough to authenticate. So, you have to generate an App Password from your profile and use that in the Private Docker Registry settings.
-
@timconsidine said in Docker Error 500 - Unable to pull image on same instance:
box:docker pullImage: will pull docker.domain.uk/cloudron-ocular:v1. auth: noIs that auth: no significant ?
2FA note aside, this still seems wrong. It should say auth: yes. The
docker.domain.uk(fromdocker.domain.uk/cloudron-ocular:v1) must match the server address you put in Private Docker Registry UI. -
Existing container registry :
- created an app password
- updated settings for private registry to use that
- desktop terminal : docker logout private registry then docker login with app password : success
- desktop terminal : cloudron logout then cloudron login (with 2FA)
- desktop terminal : cloudron install —image etc : failed
Jan 29 16:11:53 box:tasks update 22945: {"message":"Registering location app.somedomain.uk"}
Jan 29 16:11:53 box:dns upsertDnsRecords: subdomain:app domain:somedomain.uk type:A values:[“46.4.98.999"]
Jan 29 16:11:53 box:dns/manual upsert: app for zone somedomain.uk of type A with values ["46.4.98.999"]
Jan 29 16:11:53 box:dns upsertDnsRecords: subdomain:app domain:somedomain.uk type:AAAA values:["2a01:4f8:140:903a::2"]
Jan 29 16:11:53 box:dns/manual upsert: app for zone somedomain.uk of type AAAA with values ["2a01:4f8:140:903a::9"]
Jan 29 16:11:53 box:tasks update 22945: {"percent":40,"message":"Downloading image"}
Jan 29 16:11:53 box:shell df: df -B1 --output=source,fstype,size,used,avail,pcent,target /var/lib/docker
Jan 29 16:11:53 box:docker downloadImage: docker.domain.uk/cloudron-ocular:v3
Jan 29 16:11:53 box:docker pullImage: will pull docker.domain.uk/cloudron-ocular:v3. auth: no
Jan 29 16:11:53 box:docker Attempt 1 failed. Will retry: Unable to pull image docker.domain.uk/cloudron-ocular:v3. registry error: {"reason":"server error","statusCode":500,"json":null}NB :
authis stillno
Image is visible in browser UI of container registryCreated new container registry app:
- created app password
- updated private registry settings
- desktop terminal : docker logout and login to new registry : success
- desktop terminal : rebuilt app and pushed to new registry (success : checked : visible in app browser UI)
- cloudron install from new registry : failed
Jan 29 16:56:50 box:docker pullImage: will pull mydocker.domain.uk/cloudron-ocular:v5. auth: no
Jan 29 16:56:50 box:docker Attempt 1 failed. Will retry: Unable to pull image mydocker.domain.uk/cloudron-ocular:v5. registry error: {"reason":"server error","statusCode":500,"json":null}I’m lost.
Did I miss something ?Superficially, cloudron is failing to access the container registry installed in the cloudron instance. Other connections seem to be working.
So superficially, it looks like a cloudron problem.
But too much grey hair to accept that at face value. -
Suddden random thought : is there an IPV6 dimension to this ?
No reason for it to affect things (but who knows)
